[Reproducible-builds] Bug#763822: Moving towards buildinfo on the archive network

Ximin Luo infinity0 at debian.org
Sun Aug 21 18:31:00 UTC 2016

Jonathan McDowell:
> On Sun, Aug 21, 2016 at 04:01:00PM +0000, Ximin Luo wrote:
>> You have this backwards.
>> "Being able to verify individually who build each of the packages I'm
>> running"
>> is *exactly* what is required to *not* have to 
>> "attribute trust of *all* of the people who packaged something I have
>> installed."
>> and that is one major (probably the main) goal of R-B.
>> Now that I point this out - do you agree,
> No. What lets me not care about who actually built the packages and have
> to attribute trust to them is that I have the build information, which
> allows me to verify I get exactly the same output from the provided
> source. [..]

OK, I explained things badly. For you to actually strictly verify everything,
yes you would have to build everything yourself. But then you should just run a
source-based distribution and forget about other people's binaries completely.

We do also want to provide quite strong security properties, even for people
that don't want to build every single binary for themselves. That is one very
key point of R-B. If we assume everyone will check reproducibility of their own
binaries, this renders the whole exercise of R-B pointless.

Thanks for pointing this out, so that I explain it better. I'm completely at
fault here.

Signatures provide a way to for us to aggregate public trust on binaries that
don't build themselves. So it's important to have multiple and *very direct*
meanings of what-is-being-signed, to avoid a transitive-trust situation.


GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE

More information about the Reproducible-builds mailing list